
Commit 9149b89

feat: support custom upsteam ca cert (#340)
* feat(main.go, routes.go): custom upsteam ca cert Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(main.go): missig ) Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(routes.go): import os Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(routes.go): fix otp to opt Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(main.go): fix misspell Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(routes.go): lint errorf not capitalized Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(routes.go) fix error Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(routes.go): struct spaces Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(routes.go): logger spaces Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix remove white spaces Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * remove white spaces Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(main.go): fix upstream ca path description Co-authored-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Yuval dekel <153660450+yuvaldekel@users.noreply.github.com> * fix(routes.go): remove redundant new line Co-authored-by: Simon Pasquier <spasquie@redhat.com> Signed-off-by: Yuval dekel <153660450+yuvaldekel@users.noreply.github.com> * fix align Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(routes.go): init TLSClientConfig Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * fix(routes.go): remove transport from struct Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> * define transport Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> --------- Signed-off-by: Yuval Dekel <yuvddd05@gmail.com> Signed-off-by: Yuval dekel <153660450+yuvaldekel@users.noreply.github.com> Co-authored-by: Simon Pasquier <spasquie@redhat.com>
1 parent e2f8785 commit 9149b89


2 files changed

+34
-5
lines changed


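--- a/injectproxy/routes.go
+++ b/injectproxy/routes.go
@@ -16,6 +16,7 @@ package injectproxy
 import (
 "context"
 "crypto/tls"
+"crypto/x509"
 "encoding/json"
 "errors"
 "fmt"
@@ -24,6 +25,7 @@ import (
 "net/http"
 "net/http/httputil"
 "net/url"
+"os"
 "regexp"
 "slices"
 "sort"
@@ -57,6 +59,7 @@ type routes struct {
 }
 
 type options struct {
+upstreamCaCert string
 enableLabelAPIs bool
 passthroughPaths []string
 insecureSkipVerify bool
@@ -84,6 +87,13 @@ func WithPrometheusRegistry(reg prometheus.Registerer) Option {
 })
 }
 
+// WithUpstreamCaCert configures the proxy to use the custom ca certificate for the upstream.
+func WithUpstreamCaCert(caCert string) Option {
+return optionFunc(func(o *options) {
+o.upstreamCaCert = caCert
+})
+}
+
 // WithEnabledLabelsAPI enables proxying to labels API. If false, "501 Not implemented" will be return for those.
 func WithEnabledLabelsAPI() Option {
 return optionFunc(func(o *options) {
@@ -419,13 +429,26 @@ func NewRoutes(upstream *url.URL, label string, extractLabeler ExtractLabeler, o
 }
 
 // Configure tls for proxy
-tlsConfig := &tls.Config{}
-tlsConfig.InsecureSkipVerify = opt.insecureSkipVerify
+transport := http.DefaultTransport.(*http.Transport).Clone()
+transport.TLSClientConfig = &tls.Config{
+InsecureSkipVerify: opt.insecureSkipVerify,
+}
+
+if opt.upstreamCaCert != "" {
+caCert, err := os.ReadFile(opt.upstreamCaCert)
+if err != nil {
+return nil, fmt.Errorf("failed to read CA certificate: %v", err)
+}
+
+caCertPool := x509.NewCertPool()
+if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+return nil, fmt.Errorf("failed to append CA cert to pool")
+}
 
-proxy.Transport = &http.Transport{
-TLSClientConfig: tlsConfig,
+transport.TLSClientConfig.RootCAs = caCertPool
 }
 
+proxy.Transport = transport
 proxy.ModifyResponse = r.ModifyResponse
 proxy.ErrorHandler = r.errorHandler
 proxy.ErrorLog = log.Default()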
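Review bot: In the last hunk, `RootCAs` is assigned on a `tls.Config` whose `InsecureSkipVerify` may already be true, and in that case the custom CA is read and parsed but never consulted, so an operator who sets both silently gets no upstream verification at all. Reject the combination before building the transport, `if opt.upstreamCaCert != "" && opt.insecureSkipVerify { return nil, errors.New("upstream CA certificate and insecureSkipVerify are mutually exclusive") }`, or at minimum log a warning if an error would break existing deployments. The read error should also be wrapped with the path and `%w` so callers can inspect it: `fmt.Errorf("reading upstream CA certificate %q: %w", opt.upstreamCaCert, err)`. Because the new pool replaces the system roots entirely, the doc comment on `WithUpstreamCaCert` should say so, e.g. `// The file must be PEM-encoded; when set, it replaces the system root pool for upstream connections.` NewRoutes begins and ends outside this hunk.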

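--- a/main.go
+++ b/main.go
@@ -59,6 +59,7 @@ func main() {
 insecureListenAddress string
 internalListenAddress string
 upstream string
+upstreamCaCert string
 queryParam string
 headerName string
 label string
@@ -78,9 +79,10 @@ func main() {
 flagset := flag.NewFlagSet(os.Args[0], flag.ExitOnError)
 flagset.StringVar(&insecureListenAddress, "insecure-listen-address", "", "The address the prom-label-proxy HTTP server should listen on.")
 flagset.StringVar(&internalListenAddress, "internal-listen-address", "", "The address the internal prom-label-proxy HTTP server should listen on to expose metrics about itself.")
-flagset.StringVar(&queryParam, "query-param", "", "Name of the HTTP parameter that contains the tenant value.At most one of -query-param, -header-name and -label-value should be given. If the flag isn't defined and neither -header-name nor -label-value is set, it will default to the value of the -label flag.")
+flagset.StringVar(&queryParam, "query-param", "", "Name of the HTTP parameter that contains the tenant value. At most one of -query-param, -header-name and -label-value should be given. If the flag isn't defined and neither -header-name nor -label-value is set, it will default to the value of the -label flag.")
 flagset.StringVar(&headerName, "header-name", "", "Name of the HTTP header name that contains the tenant value. At most one of -query-param, -header-name and -label-value should be given.")
 flagset.StringVar(&upstream, "upstream", "", "The upstream URL to proxy to.")
+flagset.StringVar(&upstreamCaCert, "upstream-ca-cert", "", "The upstream ca certificate file.")
 flagset.StringVar(&label, "label", "", "The label name to enforce in all proxied PromQL queries.")
 flagset.Var(&labelValues, "label-value", "A fixed label value to enforce in all proxied PromQL queries. At most one of -query-param, -header-name and -label-value should be given. It can be repeated in which case the proxy will enforce the union of values.")
 flagset.BoolVar(&enableLabelAPIs, "enable-label-apis", false, "When specified proxy allows to inject label to label APIs like /api/v1/labels and /api/v1/label/<name>/values. "+
@@ -132,6 +134,10 @@ func main() {
 )
 
 opts := []injectproxy.Option{injectproxy.WithPrometheusRegistry(reg)}
+if upstreamCaCert != "" {
+opts = append(opts, injectproxy.WithUpstreamCaCert(upstreamCaCert))
+}
+
 if enableLabelAPIs {
 opts = append(opts, injectproxy.WithEnabledLabelsAPI())
 }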
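Review bot: The `-upstream-ca-cert` help text in the second hunk, `"The upstream ca certificate file."`, does not tell an operator what format the file must be in or that it replaces the system trust store for the upstream connection, which matters when deciding between a single issuing CA and a full bundle. Suggest `"Path to a PEM-encoded CA certificate (or bundle) used to verify the upstream's TLS certificate. When set, it replaces the system root pool for upstream connections."`. The CA is also ignored whenever upstream verification is disabled (the `insecureSkipVerify` option in routes.go, presumably driven by a flag not shown in this diff), so if main.go already validates mutually exclusive flags, that combination belongs there too. main's body begins and ends outside these hunks.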
